package cn.xy.commons.web;

import cn.hutool.core.io.IoUtil;
import cn.hutool.core.text.CharSequenceUtil;
import lombok.extern.slf4j.Slf4j;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * XSS过滤处理
 *
 *  @author xy
 */
@Slf4j
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public static final String CONTENT_TYPE = "Content-Type";

    public static final String APPLICATION_JSON_VALUE = "application/json";

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public ServletInputStream getInputStream() throws IOException {
        //非json类型，直接返回
        if (!APPLICATION_JSON_VALUE.equalsIgnoreCase(super.getHeader(CONTENT_TYPE))) {
            return super.getInputStream();
        }
        //为空，直接返回
        String json = IoUtil.read(super.getInputStream(), StandardCharsets.UTF_8);
        if (CharSequenceUtil.isBlank(json)) {
            return super.getInputStream();
        }
        //xss过滤
        json = this.xssEncode(json);
        final ByteArrayInputStream bis = new ByteArrayInputStream(json.getBytes(StandardCharsets.UTF_8));
        return new ServletInputStream() {
            @Override
            public boolean isFinished() {
                return true;
            }

            @Override
            public boolean isReady() {
                return true;
            }

            @Override
            public void setReadListener(ReadListener readListener) {
                log.debug("XssHttpServletRequestWrapper");
            }

            @Override
            public int read() {
                return bis.read();
            }
        };
    }

    /**
     * xss处理
     *
     * @param value value
     * @return 过滤后的结果
     */
    private String xssEncode(String value) {
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\"'][\\s]*javascript:(.*)[\"']", "\"\"");
        value = value.replaceAll("(?i)<script>|(?i)</script>", "");
        return value;
    }

}
